DIACAP Essentials + IA Control Validation Training (part 1)
June 9, 2009
I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPEs to maintain my CISSP.
Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.
DIACAP Essentials
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Essentials course blends lecture and hands-on exercises to introduce students to DIACAP policy (to include FISMA requirements of a comprehensive, repeatable, and auditable Information Security process).
IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students’ DIACAP education and turns the view from an implementer’s to a Validator’s perspective, and involves the students in the validation process for the IA Controls (DoDI 8500.2).
What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.
You Hack US, We Nuke You!
May 28, 2009
The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.
During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –
I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.
I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S. hand, but no proof at all, allowing plausible deniability. It should be black ops hacks, very well coordinated, very well funded and full time.
I don’t think the US can be complacent or recklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable assets, information.
Validation: Track the Results
May 26, 2009
If you are doing Certification & Accreditation then you know it’s all about the documentation.
But it’s not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated, sometimes you’ll have to produce the documentation.
An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.
DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.
If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).
Dangers of Surfing the Web with an Admin Account
May 15, 2009
If you bought a Dell or Gateway, more than likely you only have one account on your computer with no password. That account runs as the administrator. If your system has no user name or password applied, it is running as an administrator account.
This is how so many people get viruses. When you surf the web as an administrator, it allows malicious applications (viruses, worms, Trojans and other malware) to download to your computer and run as the administrator. This means they can replace system files with viruses, create back doors and harm other computers on your network. They can also spy on you, manipulate your browser or do anything else they want to do.
One way to greatly minimize the effects of viruses is to create separate accounts on your system and only use the administrator account when it’s necessary. Create a limited user account that you use when surfing the web, getting into your email or doing other small tasks that don’t require downloading or installing applications.
With a limited account, even if the malware is downloaded, it will not be able to install.
More GMAIL Problems
November 22, 2008
This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that Google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while Gmail is opened:
According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
– gnucitizen
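Because the injected filter outlives the bug that planted it, the practical defense for a user is to audit the filter list itself. The script below is an added example, not from the original post or from gnucitizen: it parses a filter export in the shape Gmail produces (an Atom feed of apps:property entries, an assumption about the format) and flags any filter that forwards mail, rating as high risk those that forward outside domains you own or that lack narrowing criteria such as a sender or subject (the attachment-only filter described above). The sample export and addresses are constructed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Criteria that narrow a filter to particular mail. A forwarding filter with
# none of these (e.g. only hasAttachment) copies out a broad slice of the mailbox.
NARROWING_CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

# Constructed sample in the shape of a Gmail filter export (assumed format);
# the addresses are placeholders. Entry 1 is the kind of filter the attack plants.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='hasAttachment' value='true'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='boss@example.org'/>
    <apps:property name='forwardTo' value='me@example.org'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter entry as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_forwarding(filters, owned_domains):
    """Flag every forwarding filter; external or broad forwards are high risk."""
    findings = []
    for props in filters:
        target = props.get("forwardTo")
        if not target:
            continue  # no forwarding action, nothing leaves the mailbox
        domain = target.rsplit("@", 1)[-1].lower()
        external = domain not in owned_domains
        broad = not any(key in props for key in NARROWING_CRITERIA)
        findings.append({
            "forward_to": target,
            "external": external,
            "broad": broad,
            "severity": "high" if (external or broad) else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(parse_filters(SAMPLE_EXPORT), {"example.org"}):
        print(finding)
```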
As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.
You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/
I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.
Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.
More at Makeuseof.com
derad: Malicious “Security Warning” Popups
November 1, 2008
Here is some good quick advice from my fellow blogger Debra Radcliff:
Panda Security reports increased spread and success of popup “security warnings.” These warnings popup when people surf the Web and hit a malicious or infected Website, and keep flashing their warnings until the user goes to the link, at which time they get infected.
No legitimate security company would do this to a computer, so don’t click the link. Instead, disconnect from the Internet, clear your browser history and restart your computer. If your browser is still flashing warnings, the system will need to be disinfected through anti-virus or a computer restoration service.
Usually these false security warnings are a symptom of something much worse. I’ve had some that will actually not allow you to do much of anything but click on the link in their fake pop-up. What I did was a system restore, but you can also boot in Safe mode and attempt to clean the system.
419 the Nigerian Scam, the movie
October 31, 2008
Sorin Mihailovici is making a movie about the Nigerian scammers.

419: the Nigerian Scam is about the scam e-mails that people receive daily. The Internet is flooded with e-mails promising money-making business proposals, lottery win notifications, and fabulous inheritances. This is the story of how one man’s involvement with such an Internet scam ruined his life. Before I started shooting, I myself exchanged a few e-mails with real scammers from Nigeria and Ivory Coast. They even sent me “documents” certifying all kinds of positions and deals that they have. The inclusion of this real correspondence with the scammers gave an added level of realism to my film.
I hope the movie goes viral, goes on CNN and all major news outlets so that people will be cautious about the traps set on the web’s ruthless anarchy. The price of true freedom only available in the newly discovered digital landscape.
While I don’t think an ‘eye for an eye’ type justice will come to all of the third world country online scavengers, I do believe there is hope for potential victims. My hope is in the spark of awareness that can be ignited by media like Sorin Mihailovici’s movie or this little blog. If I can help even one person NOT send a penny to an online liar, then I feel like these words I publish are worth it.
IRS Online Survey ID *scam*
October 21, 2008
*O.k. This one is pretty funny. Number one “Congratulations” is spelled wrong. But the funniest part is that the IRS does not give money for surveys. They do not care that much about what we think. BTW, if you have this email the links and surveys are phishing sites*
From: survey@IRS.gov
Subject: IRS Online Survey ID :
Date: Tue, 21 Oct 2008 17:07:34 -0400
Congratulations!
You’ve been selected to take part in our quick and easy 9 questions survey
In return we will credit $90.00 to your account – Just for your time!
Please spare two minutes of your time and take part in our online survey
so we can improve our services.
Don’t miss this chance to change something.
To participate in this survey Click Here
This notification has been sent by the Internal Revenue Service,a bureau of the Department of the Treasury.
© Copyright 2008, Internal Revenue Service U.S.A.
Note:
▪ If you received this message in your SPAM/BULK folder, that is because of the restrictions implemented by your ISP
▪ For security reasons, we will record your ip address, the date and time.
▪ Deliberate wrong imputs are criminally pursued and indicted.
Survey ID :
BFSFRZRYBGHRVCPTMSKKLZOFSWKVINCQTMXEYE
state Corporate Compliance fraud
September 30, 2008
HA! They almost got me! I had a $150.00 USD check ready made out to “Corporate Compliance”. The envelope was wet with my spit and just about to be sealed until I read the print in bold at the bottom:
Requirement code 3001. This is a Solicitation for the order of goods or services, or both, and not a bill, invoice, or statement of account due. You are under no obligation to make any payment on account of the offer unless you accept the offer. Requirement B&P Code 17533.6. This Product or service has not been approved or endorsed by any government agency, and this offer is not being made by an agency of the government.
Translation: You don’t HAVE to send us money.. we are not affiliated with the government.. we just want your money.. our service is that we are asking for money. *SCAM*
Annually, I have to file documents to keep my corporation compliant with state & federal law. Although I know this is something that can be done online with my state (Colorado), I usually procrastinate until I completely forget about it. So it is convenient to get the occasional mail reminding me to file. The state usually sends a post card with a reminder and a link to their .gov site. The “Office of Corporate Compliance” sends a message telling you the importance of filing your “Annual Corporate Minutes”. They offer to do it for $175 (check or money order). The only problem is that states don’t require minutes filed with them. You are supposed to keep minutes and other corporate records, but they are not submitted anywhere. My state requires a re-statement of my Articles of Incorporation (annually over the ‘Net).
I’ll hand it to them, “Office of Corporate Compliance” seal looks authentic at the glance. Once I found out that this was indeed a scam, I realized that they could be doing this in EVERY single state and making a small fortune. If you Google it, you’ll see that they really are doing it all over the nation. They’ve probably been doing it for years.
My question is, how and why has this been allowed to flourish? Each state puts out some sort of canned response about it:
Recently, an entity calling itself “[STATE] Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous [state] corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, [state] corporations are not required by law to file corporate minutes with the Secretary of State.
Why can’t the state governments come down on this 50 state scam? Perhaps the “Corporate Compliance” wording is such that there is nothing the states or any other government can do about it.
Here’s how I think their scam works:
1) They set up a P.O. Box in each state with the corresponding state header on envelopes and letters.
2) Search each state’s corporate database for corporations with the status delinquent or non-compliant (this means the corp. in question did not restate their annual articles of incorporation).
3) They send the appropriate state letter to the delinquent corporations.
4) The corporation pays and sends to the P.O. Box that is already typed on the self addressed envelope inside.
5) The P.O. Box forwards to the real address of the creators of this system (or franchisers).
Reverse PO Box Lookup
US Post offices will disclose the forwarding location of a corporate entity’s P.O. Box. So I think I will do one and advertise them right here on this site. I think that there is only one company (or group) behind this mail fraud.
Who is Corporate Compliance Filings, Inc?
I did a Google search for the company and came up with only one organization named Corporate Compliance, the name The Office of Corporate Compliance asked to be put on the checks. The only way they can cash the check is to have an actual corporate entity. Here it is: http://www.corporatecompliance.com/ –> Although there should be a crime against having a terribly shitty 90’s site, I can’t yet pin the scam to these guys… I simply don’t have any evidence at all pointing to this particular site.
When I did a search on the New York business database (where this 90’s Internet Corporate Compliance is from) I noticed that there were two entities with that name: CORPORATE COMPLIANCE FILINGS INC. (foreign entity) & CORPORATE COMPLIANCE LTD (domestic). But then I noticed that Corporate Compliance Filings Inc. is also in the California business database, Colorado business database and all the others. Each one lists other entities or a foreign entity as the registered agent, in an attempt to avoid naming individuals.
If you search the databases you’ll see that they use: CORPORATE COMPLIANCE FILINGS INC., Corporation Compliance Recorder, CORPORATE COMPLIANCE CENTER
The Colorado Secretary of State’s office has recently become aware that an additional entity, “California Corporate Services”, has mailed solicitations titled “Annual Minutes Disclosure Statement” to businesses in Colorado. These solicitations are similar to those mailed to businesses by “Colorado Corporate Compliance” and “Board of Business Compliance” titled “Annual Minutes Disclosure Statement” or “Disclosure Statement”. These solicitations offer to process corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitations, Colorado corporations are not required by law to file corporate minutes with the Colorado Secretary of State’s Office.
California Corporate Compliance
In very fine print, the document usually has a disclaimer, such as:
“CA Business & Professions Code Sec 17533.6 This service has
not been approved or endorsed by any government agency, and
this offer is not being made by an agency of the government.”
California Corporate Headquarters, Compliance Division
California Addresses:
CALIFORNIA CORPORATE COMPLIANCE
Business Division
3053 Freeport Blvd #310
Sascramento, CA 94518
State Corporate Compliance
916 J Street
Sacramento, CA 95814-2703
form was 4780C
Corporate Compliance Filings
9175 Keifer Blvd # 336
Sacramento, CA 95826
California Corporate Headquarters
Compliance Division
2443 Fair Oaks Boulevard #539
Sacramento, CA 95825
CA-FORM AMDS-03
Massachusetts Corporate Compliance
Recently, an entity calling itself “Massachusetts Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous Massachusetts corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, Massachusetts corporations are not required by law to file corporate minutes with the Secretary of State.
Secretary of State Handel Alerts Corporations to Potential Scam
Atlanta, GA—Recently, an entity calling itself “Georgia Corporate Compliance” mailed solicitations entitled “Annual Minutes Disclosure Statement” to numerous Georgia corporations. This solicitation offers to complete corporate meeting minutes on behalf of the Georgia corporation for a fee. Despite the implications contained in the solicitation, Georgia corporations are not required by law to file corporate minutes with the Secretary of State.
Recently, an entity calling itself “State Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous Texas business entities. This solicitation offers to complete corporate meeting minutes on behalf of the Texas business entities for a fee. Despite the implications contained in the solicitation, Texas business entities are not required by law to file corporate minutes with the Secretary of State.
Oregon Corporate Compliance
Better Business Bureau takes a look at Corporate Compliance
Is Privacy Dead?
September 24, 2008
Yes.
Privacy is dead and getting deader. So who killed it? We did. We killed it with our nature. We like our tools & technology. We can’t go without our GPS, SIM card loaded cell phones. We don’t really think about how cell phones can be easily tracked and tell so many intimate details about where you are and who you’re talking to.
We love convenience so how can we go without our Google, Yahoo, MSN searches and our access to the Internet. Never mind the fact that all of these entities track or even record (and send to the government) every thing we do online.
Our nature places privacy last on the list, and convenience and comfort in the top five. I’m not looking down my nose at you. I’m guilty of all of the above privacy sins. I’m not judging your search engine usage or saying you should switch to anonymizers and clusty.com or go phone using an untraceable credit card. I’ve got my tin foil hat in storage next to my year’s supply of MREs and shotguns.
I’m just pointing out the facts. We give our privacy away, to companies, the government and other organizations.
What is a bit bothersome to me are laws that allow the abuse of what we are willing to give in trust. The protection of the data we entrust to companies, federal, state and local government should not be allowed to be misused, neither by violations of the 4th Amendment (use of your online history without probable cause) nor by criminal hackers and/or companies selling your information to the highest bidder.
Fair laws that are in favor of the buyer adherence to the 4th Amendment. I don’t think this is a reasonable request. I think the CIO’s who implement opt-out letters sent to clients expect some amount of respect for the information they put out.
Would be pissed if his financial information was stolen.